Laying Out The Welcome Mat For The Black Hats

Friday, 19 August 2022
By Andrew Jenkinson

images

The Old Lady of Threadneedle Street was founded as a private bank in 1694 to act as a bank to the UK Government. Today the Bank of England is the UK’s central bank and contributes to the UK’s economic policies, monetary policies, sets interest rates and offers liquidity support. Possibly as important as all of these combined, the Bank of England is responsible for ensuring a resilient financial system. So why has the old lady opened her windows, unbolted her doors and laid her jewellery out on the hall table?

Over the last decade hundreds of Financial Institutions have suffered Digital Intrusions (Cyberattacks), paid Ransom for the promise of returned data and sometime thereafter swept away the damages, losses, costs, and reputational damages. Everyone gets hacked right? Well actually no, they do not.

Organisations that suffer cyberattacks typically have a single defining feature whether they are in healthcare, law enforcement, finance or retail . They all maintain INSECURE AND UNSECURED connections to the Internet.

Let me expand upon this a tad. All companies in today's digitally-dependent world, rely upon websites and emails. These Websites and Emails are connected to the Internet and although these may be seemingly secure, behind the scenes, they are often not.

images (1)

Websites connect to the Internet and to make sure life is easy for people, instead of using IP (Internet Protocol) address made up of a series of 4 numbers punctuated by a full stop, a simplified system, known as Domain Name Systems, was invented back in 1983 by Dr Paul Mockapetris. This enabled a user to type in a URL (Uniform Resource Locator) address. For example, it is far easier to type in www.cybersecip.com as opposed to typing in, and trying to remember the IP of 198.49.23.144

In January 2022 both The White House and The EU Commission published independent papers on DNS Attacks and Abuse. These papers were published within days of the Russian Cyberwar attacks against Ukraine. The Russian cyberattacks exploited over seventy Ukraine Government Websites that were insecure and not only easily identified as being not secure, but just as easily exploited.

PKI is the second area that ensures security, authentication, and the all-important critical encryption. PKI is the digital equivalent of the Enigma machine.

DNS was one of the first Internet Protocols in 1986, PKI followed a decade or so later in the mid 1990’s. PKI is made up of Digital Certificates and Digital Keys. One can also think of PKI as digital passports for devices and people. Border patrol and passport control want to ensure all passports are valid. The digital world is no different - although somewhat quicker.

In 2018 Google and others finally enforced the use of HTTPS (Hypertext Transfer Protocol Secure, an upgrade from the weaker and Insecure HTTP). From 2018 onwards, any website that did not use the latest, and Secure Internet Protocol, HTTPS, would display a Not Secure text in their website address bar - that little padlock icon next to the address bar - you can click on it to find out more.

When a "Not Secure" text is displayed it not only confirms a lack of encryption, but also a target and potential easy infiltration. 2018 will go down as the year "Not Secure" and poorly managed websites were easily identified, targeted, and exploited. Currently, around one hundred thousand websites each day are being prised at by cyber criminals to see which are Not Secure and which they can easily access.

In May 2021 we informed several members of the security team at the Bank of England that they were maintaining Not Secure websites. After sending literally dozens of emails, several months later they finally addressed the websites we informed them of. The Bank of England did not engage, formally or otherwise. The Bank of England showed no appreciation or gratitude whatsoever.

In a recent interview with fellow Security author Kim Zetter, Chris Inglis, The White House’s National Cyber Director stated, ‘’The way forward for cyber security is defence, defined roles and responsibilities and investing in resilience and robustness.’

Our offer to assist the Bank of England, as specialists within the Internet Security field and with a particular emphasis on DNS and PKI fell on deaf ears. It was disappointing to email the Bank of England again yesterday informing them of further DNS and PKI issues and sharing the below screenshot evidencing the position.

Picture1

Many people outside of the security industry may possibly look bemused by the above screenshot. This SSL (Secure Socket Layer) screenshot dated Mon 15 Aug 14:17 2022 shows this Bank of England domain lacks the critical digital certificate, but also relies upon depreciated SSL 1.0 & 1.1 (second column). SSL 1.0 & 1.1 were deprecated in 2012, a decade ago. They finally, after several extensions, reached their End of Life in October 2021 as stated by the Internet Engineering Task Force (IETF). In 2013 a US Agency suffered a cyberattack that exploited the known weaknesses in SSL 1.0.

Central Banks are not immune, nor do they have a get out of jail free card they can play if, and when they suffer a digital intrusion or cyberattack. Indeed, several Central Banks have suffered cyberattacks.

I have obfuscated the above Insecure Bank of England SSL screenshot that is directly linked to https://bankofengland.co.uk as, despite warning the Bank of this danger at the start of the year, this information has still not been acted upon. As a result the Bank of England website has remained vulnerable since January 2022. It is disappointing that the UK's central bank fails to react to basic security controls and governance over cyber risk.

The world’s largest cyberattack to date was discovered in December 2020 when the SolarWinds incident surfaced. At the time our research showed that SolarWinds had at least twelve Not Secure websites, numerous insecure servers, and DNS positions. I authored a White Paper for the Senate Intelligence Committee at the time in January 2021 which provided evidence of subdomain hijacking and domain admin access achieved. The root cause and the symptoms if you will. Within weeks the contents of my paper were proven to be factual.

What is the real danger to the Bank of England? Well, the facilitation of digital intrusions and the ability to gain carbon copies of all correspondence, influence changes to communications on the fly, and to cause general havoc, shutdowns, failures, and mayhem.

The SolarWinds cyberattack directly impacted 18,000 SolarWinds clients including the US Treasury and Government. The estimated total costs and losses run into hundreds of $billions. Some estimates put this figure at over $trillion. Should the Bank of England suffer a digital intrusion that exploits their current insecure position, the outcome could be catastrophic.